A one-time password (OTP) is a temporary code that's valid for a single login (or a short time window) and is used as an extra proof of identity alongside your regular password, making it a common form of multifactor authentication.
A one-time password (OTP) is exactly what it sounds like: a password you use once and then it's gone. Instead of typing the same static password every time, you get a short code (often 6 digits) that's only good for one login or a brief window, like 30 seconds. After that, it's dead.
The whole point is that even if an adversary steals or guesses your regular password, they still can't get in without that fresh code. The CED describes this in EK 1.2.C.3: when you enable multifactor authentication (MFA), the system asks for "extra proof of identity, such as a one-time code," on top of your password. That one-time code is the OTP. It might arrive by text, show up in an authenticator app, or be generated by a hardware token. Because it changes constantly and expires fast, a stolen password alone isn't enough to break in.
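How a 6-digit, 30-second code like the one described above can be generated and checked alongside a password, as an added example that is not part of the original page. It assumes the time-based OTP algorithm (TOTP, RFC 6238) that authenticator apps commonly use; the Account class, password and salt are hypothetical, and the secret is the RFC's published test value.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid (the "brief window")
DIGITS = 6   # length of the code

def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the current 30-second counter."""
    counter = int(now) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Account:
    """Hypothetical account: salted password hash plus a shared OTP secret."""
    def __init__(self, password: str, otp_secret: bytes):
        self.salt = b"constructed-salt"           # constructed sample value
        self.otp_secret = otp_secret
        self.pw_hash = self._hash(password)
        self.last_counter = -1                    # newest time step already used

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str, now: float) -> bool:
        counter = int(now) // STEP
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        otp_ok = hmac.compare_digest(code.encode(), totp(self.otp_secret, now).encode())
        fresh = counter > self.last_counter       # a code is accepted only once
        if pw_ok and otp_ok and fresh:
            self.last_counter = counter
            return True
        return False

def demo() -> dict:
    secret = b"12345678901234567890"              # RFC 6238 test secret
    acct = Account("correct horse", secret)       # constructed password
    code = totp(secret, 59)
    return {
        "stolen_password_only": acct.login("correct horse", "000000", 59),
        "password_and_code": acct.login("correct horse", code, 59),
        "same_code_replayed": acct.login("correct horse", code, 59),
        "code_after_window": acct.login("correct horse", code, 59 + STEP),
    }
```

Production verifiers usually also accept the adjacent time step to tolerate clock drift between the server and the device.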
OTPs live in Unit 1: Introduction to Security, specifically Topic 1.2, Suspicious Website Logins. They're the concrete payoff of learning objective AP Cybersecurity 1.2.C, which asks you to explain how to make authentication stronger. EK 1.2.C.3 names the one-time code as the classic MFA factor that adds a second layer beyond the password. So the OTP isn't a side detail. It's the answer to the question "the password got compromised, now what?" Knowing why OTPs work ties together everything in 1.2 about weak authentication and password attacks.
Multifactor Authentication / MFA (Unit 1)
MFA is the strategy, and the OTP is the most common tool that makes it happen. MFA means proving who you are with more than one type of factor, and the one-time code is usually the second factor stacked on top of your password.
Online Password Attack (Unit 1)
In an online password attack (EK 1.2.A.1), adversaries try logging in with common or stolen passwords. An OTP shuts this down because guessing or stealing the password gets them nothing without the fresh code they can't predict.
Brute Force and Dictionary Attacks (Unit 1)
These attacks automate password guessing, including dictionaries built from your personal info (EK 1.2.B.2). An OTP defeats them by adding a second factor that can't be brute-forced from a wordlist, so the attacker's whole strategy collapses.
Authentication Logs (Unit 1)
Authentication logs reveal the signs of an attack from EK 1.2.A.2, like many failed logins or attempts from unknown devices. When OTP-based MFA is on, those failed attempts stay failed, because the attacker never clears the second factor.
Expect OTPs to show up in Unit 1 questions about strengthening authentication. A multiple-choice stem might describe a stolen password scenario and ask which control would still protect the account, where the answer points to MFA using a one-time code. You should be able to explain WHY an OTP helps, not just name it: because it expires fast and changes every time, a stolen or guessed password is useless on its own. No released FRQ has used this term verbatim, but it fits perfectly into any response asking you to recommend stronger authentication or explain how to defend against online password attacks.
A regular password is something you set once and reuse for every login, so if it leaks, the account is exposed until you change it. A one-time password is generated fresh, valid for a single use or a short window, and then worthless. The OTP doesn't replace your password; it adds a second factor on top of it.
A one-time password (OTP) is a temporary code that works for only one login or a short time window, then expires.
The OTP is the classic second factor in multifactor authentication, named in EK 1.2.C.3 as the "one-time code" added on top of your password.
Because it constantly changes and expires fast, an OTP protects you even when an adversary has stolen or guessed your regular password.
OTPs directly counter online password attacks, brute force, and dictionary attacks, since cracking the password alone no longer gets the attacker in.
On the exam, be ready to explain WHY OTPs strengthen authentication, not just identify that they do.
It's a temporary code valid for a single login or short time window, used as a second factor in multifactor authentication. The CED references it in EK 1.2.C.3 as the "one-time code" that adds an extra layer of identity proof beyond your password.
No. An OTP is added on top of your password as a second factor, not instead of it. That stacking is the whole idea of multifactor authentication: you need both the password AND the fresh code to get in.
A regular password is static, so you reuse it every time and it stays valid until you change it. A one-time password is generated fresh, used once, and then expires, which is why a stolen OTP is far less dangerous than a stolen static password.
Online password attacks, brute force, and dictionary attacks all target your password. Even if an attacker guesses or steals it, they still can't produce the constantly changing OTP, so the second factor blocks them.
Not quite. MFA is the broader strategy of requiring more than one type of identity proof, and the OTP is the most common tool used to deliver that second factor. Think of MFA as the goal and the OTP as one way to reach it.